Selfie Password Concerns

MasterCard started an unprecedented program to make online purchases more secure by using a mere selfie as a password. Few months later, Amazon is looking forward to do that as well. It seems that this idea won't take long to become a trend after being adopted by giants, thus I spared some time to discuss the good, bad and ugly sides of it. The good and bad may be easy to guess, but you may not be aware how ugly it can turns to.

Good

You are used to it:

There is no need to educate people on how to take selfies. In this era, you've taken at least one selfie already;

You don't need to remember:

There won't be a need for writing your password in a post-it or visiting a 'recover my selfie' page;

It's "strong" by default:

Many still use '123456' as a password, but selfies are strong by default as they contain all your facial traces, thus making it unique;

Everyone owns a cell phone:

Sometimes more than one, as prices became very affordable for some devices.

Bad

This article highlighted many tips that you should follow if you want to your selfie to be recognized, otherwise chances are that the software will fail to detect who you are;

Perhaps not so fast:

If you're in a desktop or using a password manager, chances are that taking a selfie will slow you down. Even if by seconds, the user experience is affected. You can make an analogy by comparing to voice messages on WhatsApp. Although it's practical, comes with a speed trade-off compared to typing;

Too much trust on devices:

Suppose that we're talking about an Android mobile phone for example. The mobile application must access the camera to take the selfie, right? So imagine a scenario where the camera is taintet and instead of sending to the app the photo just taken (selfie), it sends an already saved image to the app. Suppose that this already saved image is a selfie from someone else, let's call him John. Will the server consider the "selfie" it received as being a selfie from John? Yes, that would be a "Selfie Hijacking". That's the risk of trusting too much on devices.

"Selfie Captcha": to prevent such attacks, I imagined something as a 'selfie captcha', where you should make a certain pose when taking the selfie, e.g., blink one eye and show 2 fingers of your left hand. The more combinations, the more secure it will be. Although that would be awkward and could be exploited if the attacker knows the challenge and have Adobe Photoshop skills. Pretty interesting, huh? What a weird skill for a penetration tester, don't you think?;

Cross-device validation: it may be unpractical for masses, so other alternatives would be to consider selfie as another factor only. The first time the user login he uses his password and then use only selfies to confirm purchases. Other ideas would include cross-validations using Internet of Things (IoT) devices to check for heart beat, pressure, etc. That also would be complicated when it come to masses, so the best option I can see is to use selfie as another factor, without removing the passwords;

Selfie from Photo: another kind of attack that shall emerge is just to print a selfie from someone else, e.g., John, and put it in front of the camera. This attack is much easier to be performed and doesn't require any changes on the device, e.g., jailbreaking;

So if you were 'selfie hijacked', that would be complicated to get another face to protect your account. That's one more reason to not rely solely on selfies.

Ugly (hint: it's all about Privacy)

You won't feel much comfortable to take selfie in some places:

What about making a purchase from your bathroom while doing your business? That won't be very comfortable anymore, in case it ever was. It's already restricting to play WhatsApp voice messages as you don't know what the other person will say. Taking a picture is as bad as that;

You'll be sharing MUCH more data:

Kangairo! Your face isn't the only thing in a photo. You'll be sharing the face of people around you, your location, objects around you, what you are wearing and whatever could be find in your selfie. So what? You may wonder. Let me give you some ideas about what Amazon or any other company could do:

Suggest new products: just by mapping what objects are around you, it can deduce what you'll need next with a great precision. They already have the software for that;

Map your relationship to people near you: suppose that your friend sneaks by in your selfie. Later on this friend of yours buy something on Amazon, thus sending them his data. It may be possible to suggest products to him based on your purchase;

Conclusion

Biometrics lead the world to convenience, which usually is a conflicting topic when they meet security, but it seems that they are here to stay. Starting with iPhone's fingerprinting and now selfies (although I know, there are many attacks out there regarding the fingerprinting already. Chaos Computer Club has proven that to the world).

Selfies are a very good step to increase the security to masses, but relying solely on them would be reckless given the arguments above. Using it as a one more step would be good, although the privacy concerns shouldn't be overlooked. Users must know what is going under the hood before using it. Companies shouldn't hide what will happen to the user data solely on the privacy terms. It isn't a good way to educate. Let's see what comes next.